MULTI-MODULE ENCRYPTION METHOD

The present invention relates to the field of enciphering, or encryption, and
of deciphering, or decryption, of data, and particularly of data that must
remain inaccessible to unauthorized persons or devices within pay-television
systems. In such systems, the data are enciphered in a secure environment
housing substantial computing power, called the encoding subsystem, and are
then sent, by means known per se, to at least one decentralized subsystem
where they are deciphered, generally by means of an IRD (Integrated Receiver
Decoder) and with the aid of a chip card. This chip card and the
decentralized subsystem that cooperates with it are freely accessible to a
possibly unauthorized person.

It is known to chain various encryption-decryption means in an
enciphering-deciphering system. In everything that follows,
encryption-decryption will denote a particular encryption means used within a
larger enciphering-deciphering system.

Efforts have long been made to optimize the operation of these systems from
the threefold standpoint of speed, memory footprint and security. Speed is
understood as the time needed to decipher the received data.

Encryption-decryption systems with symmetric keys are known. Their inherent
security can be assessed according to several criteria.

The first criterion is that of physical security, relating to the ease or
difficulty of a method of investigation by extraction of certain components,
followed by their possible replacement by other components. These
replacement components, intended to inform the unauthorized person about the
nature and operation of the enciphering-deciphering system, are chosen by
that person so as not to be detected, or as little as possible, by the rest
of the system.

To improve the security of the enciphering system, asymmetric-key algorithms
have been proposed, such as the so-called RSA (Rivest, Shamir and Adleman)
systems. These systems comprise the generation of a pair of matched keys, one
called public, used for enciphering, and the other called private, used for
deciphering. These algorithms offer a high level of security, both system and
physical. They are, on the other hand, slower than traditional systems,
especially at the enciphering stage.

The most recent attack techniques rely on the notion known as DPA, from the
English Differential Power Analysis. These methods are based on conjectures,
verifiable after a large number of trials, about the presence of a 0 or a 1
in a given position of the enciphering key. They are almost non-destructive,
which makes them hard to detect, and they rely on both a physical intrusion
component and a mathematical analysis component. Their operation recalls the
techniques used to investigate oil fields, where an explosion of known power
is generated at the surface and where listening devices and probes, placed at
equally known distances from the site of the explosion, make it possible to
form hypotheses about the stratigraphic composition of the subsoil without
having to dig into it much, thanks to the reflection of the shock waves by
the boundaries of the sedimentary layers in this subsoil. DPA attacks are
described in particular in § 2.1 of the document "A Cautionary Note Regarding
Evaluation of AES Candidates on Smart-Cards", published on 1 February 1999 by
Suresh Chari, Charanjit Jutla, Josyula R. Rao and Pankaj Rohatgi, of the IBM
T.J. Watson Research Center, Yorktown Heights, NY.

The requirement to resist DPA attacks makes it necessary to use so-called
"whitening" scrambling systems, either on the input information or at the
output of an enciphering-deciphering algorithm. The whitening technique is
described in § 3.5 of the same document cited above.

Moreover, the fact that computing power is limited in the decentralized
subsystem of a pay-television system creates a problem, never yet
satisfactorily solved, in carrying out the chaining described above to a
sufficient degree.




The chaining can start as soon as data computed at the output of the first
module are partially available to be processed by the second module.

The invention makes it possible to guard against the aforementioned attacks
by combining various encryption-decryption means in an
enciphering-deciphering system, and by possibly associating a concatenation
or partial interleaving with the sequence in which these means follow one
another.

In a particular embodiment of the invention, the enciphering-deciphering
system comprises an encoding subsystem where three algorithms are used
sequentially:

a) an asymmetric algorithm A1 with private key d1. This algorithm A1
performs a signature on plain data, represented by a message m, this
operation delivering a first cryptogram c1, by means of mathematical
operations generally denoted in the profession by the formula: c1 = m
exponent d1, modulo n1. In this formula, n1 forms part of the public key of
the asymmetric algorithm A1, modulo represents the well-known mathematical
operator of congruences in the set of integers, and d1 is the private key of
the algorithm A.

b) a symmetric algorithm S using a secret key K. This algorithm converts the
cryptogram c1 into a cryptogram c2.

c) an asymmetric algorithm A2 with private key d2. This algorithm A2
converts the cryptogram c2 into a cryptogram c3, by means of the mathematical
operation denoted, as before, by: c3 = c2 exponent d2 mod n2, a formula in
which n2 forms part of the public key of the asymmetric algorithm A2, and d2
is the private key of the algorithm A2.

The cryptogram c3 leaves the encoding subsystem and reaches the decentralized
subsystem by means known per se. In the case of pay-television systems, it
may equally be video data or messages.




means of computation required in the decentralized subsystem are much smaller
than in the encoding subsystem.

By way of example and to fix ideas, steps a) and c), that is, the encryption
steps with private keys, are 20 times longer than steps d) and f) of
decryption with public keys.

In a particular embodiment of the invention, derived from the preceding one,
the algorithms A1 and A2 are identical, as are their counterparts A1' and
A2'.

In a particular embodiment of the invention, also derived from the preceding
one, in step c) the public key e2, n2 of the asymmetric algorithm A2 is used,
whereas in step d) the cryptogram c3 is decrypted with the private key d2 of
this algorithm. This form is a possible alternative when the computing
resources of the decentralized subsystem are far from being reached.

Although chip cards are mostly used for decrypting data, there are also chip
cards with the capabilities needed to perform encryption operations. In that
case, the attacks described above will also be directed at these encryption
cards, which operate outside protected locations such as a management center.
This is why the method according to the invention also applies to encryption
operations in series, that is, the downstream module begins its encryption
operation as soon as part of the information delivered by the upstream module
is available. This method has the advantage of interleaving the different
encryption modules, with the consequence that the result of the upstream
module is not completely available at any given time. Moreover, the
downstream module does not begin its operations with a complete result but on
parts, which makes it impracticable to interpret the operation of a module
with respect to a known input or output state.

The present invention will be understood in more detail from the following
drawings, given by way of non-limiting example, in which:




(see figure 3) and during decryption (see figure 4), the module A2' uses the
private key d2, n2 to operate. Although this configuration places an extra
workload on the decryption assembly, the use of a private key strengthens the
security offered by module A2.

The example illustrated in figures 3 and 4 is not restrictive as regards
other combinations. For example, it is possible to configure module A1 so
that it performs the encryption operation with the public key and the
decryption with the private key.

It is also possible to replace the secret-key encryption-decryption module S
by a module of the asymmetric-key type, of the same type as modules A1 and
A2.



8. Method according to claim 6, characterized in that the two modules (A1,
A2) use a different set of private (d1, n1; d2, n2) and public (e1, n1; e2,
n2) keys.

9. Method according to claim 5, characterized in that during encryption the
last module (A2) uses the so-called public key (e2, n2) and during decryption
the first module (A2) uses the so-called private key (d2, n2).

10. Method according to claims 1 to 3, characterized in that it implements
three encryption-decryption modules (A1, A, A2) with asymmetric keys.



[Fig. 1: drawing not reproduced. Recoverable labels: m; prk = d1, n1; C1; prk = d2, n2; C3.]

[Fig. 2: drawing not reproduced.]

MULTI-MODULE ENCRYPTION METHOD




The present invention relates to the domain of the encipherment, or
encryption, and the decipherment or decryption of data, and particularly
of data which is to remain inaccessible to unauthorized persons or
appliances within the framework of pay-per-view television systems. In
such systems, the data are enciphered in a secure environment, which
accommodates considerable computational power, and is called the
encoding subsystem, and are then sent, by means known per se, to at
least one decentralized subsystem where they are deciphered, generally
by means of an IRD (Integrated Receiver Decoder) and with the aid of a
chip card. A possibly unauthorized person can gain unrestricted access
to this chip card and the decentralized subsystem which cooperates with
it.

It is known practice to chain together various encryption/decryption
means in an enciphering/deciphering system. In all of what follows, the
expression encryption/decryption will be used to refer to a particular
encryption means used in a bigger enciphering/deciphering system.



It has long been sought to optimize the operation of these systems from
the triple viewpoint of speed, memory space occupied and security. Speed
is understood to mean the time required to decipher the data


Encryption/decryption systems with symmetric keys are 
known. Their inherent security can be gauged as a 
function of several criteria. 



The first criterion is that of physical security, relating to the ease
or to the difficulty of a method of investigation by extracting certain
components, this being followed by their possible replacement by other
components. These replacement components, intended to inform the
unauthorized person about the nature and manner of operation of the
enciphering/deciphering system, are chosen by him/her in such a way as
not to be detected, or to be as undetectable as possible, by the
remainder of the system.

A second criterion is that of system security, within 
the framework of which attacks are not intrusive from 
the physical viewpoint but call upon analysis of 
mathematical type. Typically, these attacks will be 
conducted by computers of high power which will attempt 
to break the algorithms and the enciphering codes. 

Means of encryption/decryption with symmetric keys are for example the
systems referred to as DES (Data Encryption Standard). These relatively
old means now merely offer system security and physical security which
are entirely relative. It is for this reason in particular that
increasingly, DES, the lengths of whose keys are too small to satisfy
the conditions of system security, is being replaced by new means of
encryption/decryption or with longer keys. Generally, these means having
symmetric keys call upon algorithms comprising enciphering rounds.

Other attack strategies are referred to as Simple Power Analysis and
Timing Analysis. In Simple Power Analysis, one uses the fact that a
microprocessor tasked with encrypting or decrypting data is connected to
a voltage source (in general 5 volts). When it is idle, a fixed current
of magnitude i flows through it. When it is active, the instantaneous
magnitude i is dependent, not only on the incoming data, but also on the
encryption algorithm. Simple Power Analysis consists in measuring the
current i as a function of time. The type of algorithm which the
microprocessor is performing can be deduced from this.

In the same way, the method of Timing Analysis consists in measuring the
duration of computation as a function of a sample presented to the
decryption module. Thus, the relationship between the sample presented
and the time for computing the result makes it possible to retrieve the
decryption module secret parameters such as the key. Such a system is
described for example in the document «Timing Attacks on Implementations
of Diffie-Hellman, RSA, DSS, and Other Systems» published by Paul
Kocher, Cryptography Research, 870 Market St, Suite 1088, San Francisco,
CA-USA.

To improve the security of the enciphering system, algorithms having
asymmetric keys have been proposed, such as the so-called RSA (Rivest,
Shamir and Adleman) systems. These systems comprise the generation of a
pair of matched keys, one the so-called public key serving in the
enciphering, and the other the so-called private key serving in the
deciphering. These algorithms exhibit a high level of security, both
system and physical security. They are on the other hand slower than the
traditional systems, especially at the enciphering stage.

The most recent attack techniques call upon the so-called DPA concept,
standing for Differential Power Analysis. These methods are based on
suppositions, verifiable after a large number of trials, about the
presence of a 0 or a 1 in a given position of the enciphering key. They
are almost non-destructive, thus rendering them largely undetectable,
and call upon both a physical intrusion component and a mathematical
analysis component. Their manner of operation recalls the techniques for
investigating oil fields, where an explosion of known power is generated
at the surface and where earphones and probes, placed at likewise known
distances from the site of the explosion, enable assumptions to be made
about the stratigraphic composition of the subsurface without having to
carry out too much digging, by virtue of the reflecting of the shock
waves by the boundaries of sedimentary beds in this subsurface. DPA
attacks are described in particular in § 2.1 of the document «A
Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards»,
published on 1st February 1999 by Suresh Chari, Charanjit Jutla, Josyula
R. Rao and Pankaj Rohatgi, of IBM T.J. Watson Research Center, Yorktown
Heights, NY.

The requirement of having to resist DPA attacks forces the use of
so-called «whitening» jamming systems, either in the input information,
or at the output of an enciphering/deciphering algorithm. The technique
of whitening is described in § 3.5 of the same aforesaid document.

Moreover, the fact that the computation powers are limited in the
decentralized subsystem of a pay-per-view television system creates a
problem, which has never yet been satisfactorily solved, for performing
the chaining described previously to a sufficient extent.

The objective of the present invention is to make available an
encryption/decryption method which is resistant to modern methods of
investigation such as described above.

The objective aimed at by the present invention is 
achieved by the method described in the characterizing 
part of Claim 1. 

The particular feature of the method lies in the fact that an
intermediate module does not start up when the result from the previous
(or upstream) module has terminated but begins as soon as already part
of the information is available. Therefore, for an outside observer, it
is not possible to establish the input or output conditions for this
module.

Since the deciphering occurs in the decentralized subsystem cooperating
with the chip card, this chip card accommodating only relatively limited
computational powers as compared with the encoding subsystem, it is for
example beneficial to use a public asymmetric key, operating relatively
fast, during the last steps of the deciphering. This makes it possible
on the one hand to preserve the invulnerability characteristics of the
system on exiting the procedure, and on the other hand to concentrate
the computational power, related essentially to encipherment with the
aid of the private key, in the encoding subsystem.

It has been discovered that extra security is afforded 
by the possibility of concatenating, or of partially 
interleaving, two means of encryption/decryption which 
follow one another sequentially. This concatenation or 
partial interleaving is understood to mean the process 
consisting in starting the action of the second 
encryption/decryption means on the data at a moment 
when the first encryption/decryption means has not yet 
terminated its work on these same data. This makes it 
possible to mask the data such as they would result 
from the work of the first module and before they are 
subjected to the action of the second module. 

The chaining can start as soon as data computed at the 
output of the first module are partially available for 
processing by the second module. 

The invention makes it possible to guard against the aforesaid attacks
by combining various means of encryption/decryption in an
enciphering/deciphering system, and possibly by associating
concatenation or partial interleaving with the sequence in which these
means follow one another.

In a particular embodiment of the invention, the enciphering/deciphering
system comprises an encoding subsystem where three algorithms are used
sequentially:

a) an asymmetric algorithm A1 with private key d1. This algorithm A1
performs a signature on plain data, represented by a message m, this
operation delivering a first cryptogram c1, by means of mathematical
operations which are generally denoted in the profession by the formula:
c1 = m exponent d1, modulo n1. In this formula, n1 forms part of the
public key of the asymmetric algorithm A1, modulo represents the
well-known mathematical operator of congruences within the set of
relative integers, and d1 is the private key of the algorithm A.

b) a symmetric algorithm S using a secret key K. This algorithm converts
the cryptogram c1 into a cryptogram c2.

c) an asymmetric algorithm A2 with private key d2. This algorithm A2
converts the cryptogram c2 into a cryptogram c3, by means of the
mathematical operation denoted, as previously, by: c3 = c2 exponent d2
mod n2, in which formula n2 forms part of the public key of the
asymmetric algorithm A2, and d2 is the private key of the algorithm A2.

The cryptogram c3 leaves the encoding subsystem and arrives at the
decentralized subsystem by means known per se. In the case of
pay-per-view television systems, this may equally involve video data or
messages.

The decentralized subsystem uses, in the order reverse to the above,
three algorithms A1', S' and A2'. These three algorithms form part of
three encryption/decryption means A1-A1', S-S' and A2-A2', distributed
between the encoding subsystem and the decentralized subsystem, and
representing the encryption/decryption system.

d) the algorithm A2' performs a mathematical operation on c3 which
restores c2 and is denoted: c2 = c3 exponent e2 mod n2. In this formula,
the set consisting of e2 and n2 is the public key of the asymmetric
algorithm A2-A2'.

e) the symmetric algorithm S' using the secret key K restores the
cryptogram c1.

f) the asymmetric algorithm A1' with public key e1, n1 retrieves m by
performing the mathematical operation denoted: m = c1 exponent e1 mod
n1.

The concatenation, in the decentralized subsystem, consists in starting
the decoding step e) whilst c2 has not yet been completely restored by
the previous step d), and in starting the decoding step f) whilst c1 has
not been completely restored by step e). The advantage is to thwart an
attack aimed for example firstly at extracting, within the decentralized
subsystem, the cryptogram c1 at the end of step e), so as to compare it
with the plain data m, then by means of c1 and of m to attack the
algorithm A1', and then gradually to backtrack up the coding chain.
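
Steps a) to f) and the concatenation described above, as an added example that is not part of the patent text: a toy Python model in which each module is a generator, so a downstream module consumes each block as soon as the upstream module emits it. The tiny RSA primes, the SHA-256-derived XOR mask standing in for S, the one-byte blocking and all function names are assumptions made for illustration.

```python
import hashlib


def make_key(p, q, e):
    """Textbook RSA key from two primes (constructed toy values, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


# Constructed parameters, far too small for real use.
KEY1 = make_key(61, 53, 17)   # A1 / A1': n1 = 3233
KEY2 = make_key(89, 97, 5)    # A2 / A2': n2 = 8633
K = b"constructed secret key K"
MASK_BITS = 12                # n1 <= 2**12 <= n2, so c1 fits S and c2 < n2


def s_mask(index):
    """Stand-in for S / S': per-block XOR mask derived from K (self-inverse)."""
    digest = hashlib.sha256(K + index.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big") % (1 << MASK_BITS)


def stage(name, blocks, fn, trace):
    """Run one module lazily: a block is processed only when the next module asks."""
    for i, block in enumerate(blocks):
        trace.append((name, i))
        yield fn(i, block)


def encrypt(message):
    """Steps a), b), c): c1 = m^d1 mod n1, c2 = S(c1), c3 = c2^d2 mod n2."""
    trace = []
    c1 = stage("A1", message, lambda i, m: pow(m, KEY1["d"], KEY1["n"]), trace)
    c2 = stage("S", c1, lambda i, c: c ^ s_mask(i), trace)
    c3 = stage("A2", c2, lambda i, c: pow(c, KEY2["d"], KEY2["n"]), trace)
    return list(c3)


def decrypt(c3, interleaved, trace):
    """Steps d), e), f) with the public keys.

    interleaved=False rebuilds c2 and c1 in full between steps;
    interleaved=True hands each block on as soon as it exists.
    """
    def run(name, blocks, fn):
        out = stage(name, blocks, fn, trace)
        return out if interleaved else list(out)

    c2 = run("A2'", c3, lambda i, c: pow(c, KEY2["e"], KEY2["n"]))
    c1 = run("S'", c2, lambda i, c: c ^ s_mask(i))
    m = run("A1'", c1, lambda i, c: pow(c, KEY1["e"], KEY1["n"]))
    return bytes(m)


def max_outstanding(trace, producer, consumer):
    """Peak number of producer outputs that existed before the consumer took them."""
    held = peak = 0
    for name, _ in trace:
        if name == producer:
            held += 1
            peak = max(peak, held)
        elif name == consumer:
            held -= 1
    return peak


def demo(message=b"control word"):
    """Compare how many blocks of c1 exist at once in each decryption mode."""
    c3 = encrypt(message)
    staged, chained = [], []
    assert decrypt(c3, False, staged) == message
    assert decrypt(c3, True, chained) == message
    return {
        "c1_blocks_exposed_staged": max_outstanding(staged, "S'", "A1'"),
        "c1_blocks_exposed_chained": max_outstanding(chained, "S'", "A1'"),
    }


if __name__ == "__main__":
    print(demo())
```

In the staged run every block of c1 exists at once before A1' starts; in the chained run at most one block does, which is the property the description relies on.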

The concatenation is not necessary in the encoding subsystem, which is
installed in a secure physical environment. It is on the other hand
useful in the decentralized subsystem. In the case of pay-per-view
television, the IRD is in fact installed at the subscriber's premises
and may be the subject of attacks of the predescribed type.

It will be appreciated that an attack of a combination of three
concatenated decryption algorithms A1', S' and A2' has much less chance
of succeeding than if the cryptograms c1 and c2 are fully reconstructed
between each step d), e) and f). Moreover, the fact that the algorithms
A1' and A2' are used with public keys e1, n1 and e2, n2 implies that the
means of computation required in the decentralized subsystem are much
reduced as compared with those in the encoding subsystem.

By way of example and to fix matters, steps a) and c), that is to say
the encryption steps with private keys, are 20 times longer than the
decryption steps d) and f) with public keys.

In a particular embodiment of the invention, derived from the previous
one, the algorithms A1 and A2 are identical as are their counterparts
A1' and A2'.



In a particular embodiment of the invention, also derived from the
previous one, in step c) the public key e2, n2 of the asymmetric
algorithm A2 is used whilst in step d) the cryptogram c3 is decrypted
with the private key d2 of this algorithm. This embodiment constitutes a
possible alternative when the resources of the decentralized subsystem
in terms of computational power are far from being attained.

Although chip cards are used chiefly for decrypting data, there are also
chip cards having the capacities required to perform encryption
operations. In this case, the attacks described above will pertain also
to these encryption cards which operate away from protected locations
such as a management center. This is why the method according to the
invention applies also to serial encryption operations, that is to say
that the downstream module begins its encryption operation as soon as
part of the information delivered by the upstream module is available.
This process has the advantage of interleaving the various encryption
modules, and as a consequence the result from the upstream module is not
completely available at a given time. Moreover, the downstream module
does not begin its operations with a complete result but on parts,
thereby making it impracticable to interpret the manner of operation of
a module with respect to a known input state or output state.

The present invention will be understood in greater detail by virtue of
the following drawings, taken by way of non-limiting example, in which:

- Figure 1 represents the encryption operations

- Figure 2 represents the decryption operations

- Figure 3 represents an alternative to the encryption method.

In Figure 1, a data set m is introduced into the encryption chain. A
first element A1 performs an encryption operation using the so-called
private key, composed of the exponent d1 and of the modulo n1. The
result of this operation is represented by C1. According to the mode of
operation of the invention, as soon as part of the result C1 is
available, the next module begins its operation. This next module S
performs its encryption operation with a secret key. As soon as it is
partially available the result C2 is transmitted to the module A2 for
the third encryption operation using the so-called private key composed
of the exponent d2 and of the modulo n2. The final result, here dubbed
C3, is ready to be transmitted by known pathways such as over the
airwaves or by cable.

Figure 2 represents the decryption system composed of the three
decryption modules A1', S', A2' which are similar to those which served
for encryption, but are ordered in reverse. Thus, one commences firstly
with the module A2' which performs its decryption operation on the basis
of the so-called public key composed of the exponent e2 and of the
modulo n2. In the same way as for encryption, as soon as part of the
result C2 from the module A2' is available, it is transmitted to the
module S' for the second decryption operation. To terminate decryption,
the module A1' performs its operation on the basis of the so-called
public key composed of the exponent e1 and of the modulo n1.

In a particular embodiment of the invention, the keys of the two modules
A1 and A2 are identical, that is to say that on the encryption side, d1
= d2 and n1 = n2. By analogy, during decryption, e1 = e2 and n1 = n2. In
this case, one speaks of the private key d, n and of the public key e,
n.

In another embodiment of the invention, as illustrated in Figures 3 and
4, the module A2 uses the so-called public key instead of the so-called
private key. At the moment of encryption, the public key e2, n2 is used
by the module A2 (see Figure 3) and during decryption (see Figure 4),
the module A2' uses the private key d2, n2 to operate. Although this
configuration exhibits an overhead of work for the decryption set, the
use of a private key reinforces the security offered by the module A2.

The example illustrated in Figures 3 and 4 is not restrictive in respect
of other combinations. For example, it is possible to configure the
module A1 so that it performs the encryption operation with the public
key and the decryption with the private key.

It is also possible to replace the encryption/decryption module having
secret key S with a module of the type with asymmetric keys of the same
type as the modules A1 and A2.



CLAIMS 

1. Method of encryption and decryption using several
encryption/decryption modules in series, characterized in that the
downstream encryption/decryption module begins its operation as soon as
part of the result from the upstream encryption/decryption module is
available.

2. Method according to Claim 1, characterized in that the downstream
decryption module begins its decryption operation as soon as part of the
result from the upstream decryption module is available.

3. Method according to Claim 1, characterized in that the downstream
encryption module begins its encryption operation as soon as part of the
result from the upstream module is available.

4. Method according to Claims 1 to 3, characterized in that it
implements three modules (A1, A2), the central module (S) being of the
type with secret symmetric key (k).

5. Method according to the preceding claim, characterized in that the
first module (A1) and the last module (A2) in respect of encryption and
the first module (A2) and the last module (A1) in respect of decryption
are of the RSA type with asymmetric keys i.e. with a private key and a
public key.

6. Method according to the preceding claim, characterized in that the
two modules (A1, A2) use the so-called private key (d, n; d1, n1; d2,
n2) for encryption and the so-called public key (e, n; e1, n1; e2, n2)
for decryption.

7. Method according to the preceding claim, characterized in that the
two modules (A1, A2) use the same private key (d, n) and public key (e,
n) set.

8. Method according to Claim 6, characterized in that the two modules
(A1, A2) use a different set of private (d1, n1; d2, n2) and public (e1,
n1; e2, n2) keys.

9. Method according to Claim 5, characterized in that during encryption,
the last module (A2) uses the so-called public key (e2, n2) and during
decryption, the first module (A2) uses the so-called private key (d2,
n2).

10. Method according to Claims 1 to 3, characterized in that it
implements three encryption/decryption modules (A1, A, A2) with
asymmetric keys.




ABSTRACT 



When using an encryption/decryption module, there are methods in
existence for determining the key or keys used by the module by
analyzing the data entering or leaving the module. To alleviate this
defect, the proposed multi-module method consists in the downstream
module beginning its encryption/decryption operations as soon as part of
the results from the upstream module is available.